For some reason it’s not straightforward to create new credentials for an existing Service Principal account in Azure Active Directory using PowerShell.

I’m using PowerShell, because I’m not an Azure AD admin in my current organization, but as a developer, I am able to create and manage service principal accounts. This is extremely convenient, because we use them for automated deployments to Azure.

We started using Azure DevOps release management about a year ago, and thus I recently encountered the first credential expiration of a service principal that was used by Azure DevOps to deploy resources to Azure. This makes sense, because service principal credential lifetime defaults to one year.

A deployment which worked earlier today just failed with the error message

AADSTS7000222: The provided client secret keys are expired.

Checking the Service connection in Azure DevOps showed the same error:

Verify Connection failed because the client secret keys are expired

OK, so just create new credentials, and then update the Service Connection in Azure DevOps.

But that’s not as easy as I would like it to be.

Luckily, finding the Service Principal is easy. The Service Connection window in Azure DevOps (the screenshot above) contains the Service Principal’s “Application ID”. Now, it’s not called that in the screenshot, because the Application ID, Client ID, and many other names mean the same thing when talking about Azure AD.
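The following is an added example, not a command from the original post: it looks the service principal up by that Application ID with the AzureAD PowerShell module, lists its existing password credentials so the expired one is visible, and issues a replacement secret with an explicit one-year lifetime. It assumes the AzureAD module is installed and that Connect-AzureAD has already been run; the GUID is a constructed placeholder.

```powershell
# Added example (not the post's own command). Assumes the AzureAD module is
# installed and Connect-AzureAD has already been run with an account that can
# manage the service principal. The GUID below is a constructed placeholder:
# replace it with the "Service principal client ID" from the Service Connection.
$appId = '00000000-0000-0000-0000-000000000000'

# Application ID and client ID are the same value; the OData property is appId.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { throw "No service principal found for application ID $appId" }

# Show the existing password credentials so the expired key (EndDate in the
# past) is easy to spot alongside anything that is still valid.
Get-AzureADServicePrincipalPasswordCredential -ObjectId $sp.ObjectId |
    Select-Object KeyId, StartDate, EndDate

# Issue a replacement secret with an explicit one-year lifetime (the default
# lifetime mentioned above). The secret value is returned only once, so keep it.
$start = Get-Date
$cred = New-AzureADServicePrincipalPasswordCredential -ObjectId $sp.ObjectId `
    -StartDate $start -EndDate $start.AddYears(1)

# $cred.Value is the new client secret: paste it into the Azure DevOps Service
# Connection rather than writing it to a log or console transcript.
# Once the connection verifies, remove the expired credential by its KeyId:
# Remove-AzureADServicePrincipalPasswordCredential -ObjectId $sp.ObjectId -KeyId <expired KeyId>
```

Setting EndDate explicitly makes the next expiry date visible in the listing above, so it can be tracked before a deployment fails again rather than discovered through AADSTS7000222.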

But take the “Service principal client ID” from the above window, and run this PowerShell command: